I updated the patch. The most recent version is now available at
http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_31-1_3_41-v4.patch
In addition to the v3 version of the patch, it now also contains a
backport of the SSLInsecureRenegotiation directive introduced in Apache
httpd 2.2.15 in combination with OpenSSL 0.9.8m and beyond.
The patch needs some more testing, but backport was straightforward.
Regards,
Rainer
On 01.01.2010 21:44, Rainer Jung wrote:
On 29.12.2009 22:57, John Lightsey wrote:
On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
On 23.11.2009 18:57, John Lightsey wrote:
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
Thanks again. I updated the patch:
http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
The only changes are in ssl_engine_io.c, where the declaration of "char
*reneg" is moved 4 times to the beginning of the function. Anything else
you observed?
I received a report of segfaults caused by this patch. They happen when
you have Apache proxy connections to a SSL destination. IE:
RewriteRule ^/(.*) https://other_site.com/$1 [P]
The segfault happens at:
reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");
in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.
#0 0x0000000000454bb5 in ssl_io_suck_read (ssl=0x10a26070,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
actx = (ap_ctx *) 0x10a26070
ss = (struct ssl_io_suck_st *) 0x0
r = (request_rec *) 0x0
rv = 0
reneg = 0x0
c = (conn_rec *) 0x0
#1 0x0000000000454f31 in ssl_io_hook_read (fb=0x10a25c28,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
ssl = (SSL *) 0x10a26070
c = (conn_rec *) 0x0
s = (server_rec *) 0x0
rc = 0
reneg = 0x0
#2 0x000000000049a00f in ap_hook_call_func (ap=0x7fff98699110,
he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
v1 = (void *) 0x10a25c28
v2 = (void *) 0x107ccd88
v3 = 4096
v_rc = (void *) 0x7fff9869922c
v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
v_double = 0, v_ptr = 0x0}
rc = 1
#3 0x00000000004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
at ap_hook.c:382
i = 0
he = (ap_hook_entry *) 0x104f33b0
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff98699200, reg_save_area = 0x7fff98699140}}
rc = 0
#4 0x000000000046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
nbyte=4096) at buff.c:255
rv = 0
Thank you for your feedback and the analysis. I could reproduce this and
have updated the patch:
http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch
I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my
tests. The code doesn't try to change/fix renegotiation behaviour for
ssl on the client side when used as a proxy.
As always: feedback welcome!
Regards,
Rainer
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majord...@modssl.org
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majord...@modssl.org
